I am currently running a Multi-VPN enterprise network.
These VPNs are interconnected through several Inter-VPN gateways (Layer-2 firewalls). Each firewall is facing a PE terminating many VRFs of the network. In order to ensure stateful packet inspection I must make sure that the flows are symmetric. The easiest way to do so is to be able to have an end-to-end metric based on the addition of all IGP metrics along the way.
Our core IGP is OSPF and I run OSPF facing the Inter-VPN gateway.
My problem is that I could not find an easy way to have an end-to-end metric based on IGP metrics from network A attached to VRF Blue on site 1 to network B attached to VRF Red on site 2.
For example each PE facing the Inter-VPN gateway will have the same MP-BGP metric to a particular site. So when I redistribute I lose the information on the metric to reach the end site. I would like to be able somehow to add the next-hop metric to build an end-to-end metric based on IGP...
I hope it makes sense. I have attached a diagram showing the overall setup.
FYI I currently rely on extended communities to manipulate the metric at the Inter-VPN gateway level to try to simulate an end-to-end metric. But this is not scalable and I have route-maps growing at n*n rate...
• Prefer the path through the closest IGP neighbor
• Prefer oldest route for EBGP paths
• Prefer the path with the lowest neighbor BGP router ID
So you could use the MED value during redistribution or make sure that you reach the decision step "closest IGP neighbor (i.e. lowest OSPF metric to BGP next hop)"
Now writing all this I do start to understand your problem:
From Boston to "Apps. net" you'd like to prefer NY FW over Herndon, right?
This is indeed tricky, because one of the main ideas of MPLS VPN is to hide the MPLS backbone from the customer. Well more generally speaking: BGP does not include IGP core metrics in updates. This info is not there and so you can't use it in the VRFs.
The only way I can think of is to manually set the metric based on BGP next hop, when redistributing back into OSPF (external metric) towards the FW. Use OSPF metric then to copy into BGP MED (redistribute FW->PE) and thus transport the info across the FW.
This way you would at least have only one route-map for redistribution with an entry per PE and not n*n.
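A sketch of the two redistribution points described in that reply, as an added example rather than configuration from the thread; device names, VRF names, OSPF process ids, the AS number and the PE loopback addresses are assumed.

```cisco
! --- PE on the VRF side that feeds the inter-VPN firewall (assumed name PE-BOSTON) ---
! One prefix-list per remote PE loopback (assumed addresses). The BGP next hop of a
! VPNv4 route is the loopback of the PE that originated it, so this is the hook the
! reply describes: set the OSPF external metric based on the BGP next hop.
ip prefix-list NH-PE-NY seq 5 permit 10.255.0.1/32
ip prefix-list NH-PE-HERNDON seq 5 permit 10.255.0.2/32
!
! Type-1 externals keep accumulating OSPF cost along the path, so the metric seen on
! the far side is "seed for that PE" + "OSPF cost from here", not a flat number.
! One route-map, one entry per PE plus a catch-all: n entries, not n*n.
route-map BGP-TO-OSPF permit 10
 match ip next-hop prefix-list NH-PE-NY
 set metric 100
 set metric-type type-1
route-map BGP-TO-OSPF permit 20
 match ip next-hop prefix-list NH-PE-HERNDON
 set metric 500
 set metric-type type-1
route-map BGP-TO-OSPF permit 30
 set metric 1000
 set metric-type type-1
!
router ospf 10 vrf BLUE
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
!
! --- PE on the other side of the firewall (assumed name PE-RED) ---
! When IOS redistributes OSPF into BGP it copies the OSPF metric into the MED unless
! a route-map overrides it, so the next-hop-derived metric crosses the firewall as MED.
router bgp 65000
 address-family ipv4 vrf RED
  redistribute ospf 20 match internal external 1 external 2
 exit-address-family
```

On the PE that finally chooses between the firewall paths, MED is compared only after weight, local preference, AS path and origin, so those must be equal across the candidate paths for the carried metric to decide.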
Thanks for your prompt reply. Your idea is more elegant than my original setup, for sure!
You are right in your assumption that I would like to always use the nearest gateway between two networks (I also have gateways on the west coast or in Europe).
I have started to test it and I have no problem redistributing from MP-BGP to OSPF towards the firewalls. But I am a little bit puzzled on how to manipulate the MED while redistributing FW->PE. Would you be kind enough to show me a test configuration or point me in the right direction?